Adding wrapper scripts for neutron agent subprocesses

The neutron agents use subprocesses like dnsmasq and keepalived as part
of their implementation. Running these "subprocesses" in separate
containers prevent dataplane breakages/unnecessary failover on agent
container restart.

Also amends docker daemon options to allow including additional unix
domain sockets to bind to the docker daemon. The paths can be mounted by
containers that launch containers instead of mounting /run/docker.sock.
This avoids issues if the docker daemon is restarted while the containers
are running.

Related-Bug: #1749209
Change-Id: Icd4c24ac686d957391548a04722266cefc1bce27

manifests/profile/base/docker.pp

@@ -33,6 +33,10 @@
 #   OPTIONS that are used to startup the docker service.
 #   Defaults to '--log-driver=journald --signature-verification=false --iptables=false --live-restore'
 #
+# [*additional_sockets*]
+#   Array of addtional domain sockets for the docker daemon to bind to.
+#   Defaults to undef
+#
 # [*configure_network*]
 #   Boolean. Whether to configure the docker network. Defaults to false.
 #
@@ -82,6 +86,7 @@ class tripleo::profile::base::docker (
   $insecure_registries = undef,
   $registry_mirror     = false,
   $docker_options      = '--log-driver=journald --signature-verification=false --iptables=false --live-restore',
+  $additional_sockets  = undef,
   $configure_network   = false,
   $network_options     = '',
   $configure_storage   = true,
@@ -132,7 +137,15 @@ class tripleo::profile::base::docker (
       } else {
         $selinux_enabled_string = ''
       }
-      $options_changes = [ "set OPTIONS '\"${docker_options}${selinux_enabled_string}\"'" ]
+      if $additional_sockets {
+        $arg_string = join(prefix(any2array($additional_sockets), '-H unix://'), ' ')
+        # We include the typical default socket to make sure other docker clients
+        # will work.
+        $add_sockets = " -H unix:///run/docker.sock ${arg_string}"
+      } else {
+        $add_sockets = ''
+      }
+      $options_changes = [ "set OPTIONS '\"${docker_options}${add_sockets}${selinux_enabled_string}\"'" ]
     } else {
       $options_changes = [ 'rm OPTIONS' ]
     }
@@ -250,10 +263,24 @@ class tripleo::profile::base::docker (
       require => Package['docker'],
     }
 
-    if $deployment_user {
+    if $additional_sockets {
+      # When specifying additional sockets, ensure that the directory
+      # exists for each one.
+      any2array($additional_sockets).each | String $sock_path | {
+        file {dirname($sock_path):
+          ensure => directory,
+          notify => Service['docker']
+        }
+      }
+    }
+
+    if $deployment_user or $additional_sockets {
       ensure_resource('group', 'docker', {
-        'ensure' => 'present',
+        'ensure' => 'present'
       })
+    }
+
+    if $deployment_user {
       ensure_resource('user', $deployment_user, {
         'name'   => $deployment_user,
         'groups' => 'docker',

manifests/profile/base/neutron/dhcp_agent_wrappers.pp

@@ -0,0 +1,89 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::dhcp_agent_wrappers
+#
+# Generates wrapper scripts for running dhcp agent subprocesess in containers.
+#
+# === Parameters
+#
+# [*enable_dnsmasq_wrapper*]
+#  (Optional) If true, generates a wrapper for running dnsmasq in
+#  a docker container.
+#  Defaults to false
+#
+# [*dnsmasq_process_wrapper*]
+#   (Optional) Filename for dnsmasq wrapper in the specified file.
+#   Defaults to undef
+#
+# [*dnsmasq_image*]
+#   (Optional) Docker image name for dnsmasq. Required if
+#   dnsmasq_process_wrapper is set.
+#   Defaults to undef
+#
+# [*enable_haproxy_wrapper*]
+#  (Optional) If true, generates a wrapper for running haproxy in
+#  a docker container.
+#  Defaults to false
+#
+# [*haproxy_process_wrapper*]
+#   (Optional) If set, generates a haproxy wrapper in the specified file.
+#   Defaults to undef
+#
+# [*haproxy_image*]
+#   (Optional) Docker image name for haproxy. Required if
+#   haproxy_process_wrapper is set.
+#   Defaults to undef
+#
+# [*bind_sockets*]
+#   (Optional) Domain sockets that the wrappers should use for accessing
+#   the docker daemon.
+#   Defaults to hiera('tripleo::profile::base::docker::additional_sockets', ['/run/docker.sock'])
+#
+class tripleo::profile::base::neutron::dhcp_agent_wrappers (
+  $enable_dnsmasq_wrapper    = false,
+  $dnsmasq_process_wrapper   = undef,
+  $dnsmasq_image             = undef,
+  $enable_haproxy_wrapper    = false,
+  $haproxy_process_wrapper   = undef,
+  $haproxy_image             = undef,
+  $bind_sockets              = hiera('tripleo::profile::base::docker::additional_sockets', ['/run/docker.sock']),
+) {
+  unless $bind_sockets {
+    fail('The wrappers require a domain socket for accessing the docker daemon')
+  }
+  $bind_socket = join(['unix://', $bind_sockets[0]], '')
+  if $enable_dnsmasq_wrapper {
+    unless $dnsmasq_image and $dnsmasq_process_wrapper{
+      fail('The docker image for dnsmasq and wrapper filename must be provided when generating dnsmasq wrappers')
+    }
+    tripleo::profile::base::neutron::wrappers::dnsmasq{'dhcp_dnsmasq_process_wrapper':
+      dnsmasq_process_wrapper => $dnsmasq_process_wrapper,
+      dnsmasq_image           => $dnsmasq_image,
+      bind_socket             => $bind_socket
+    }
+  }
+
+  if $enable_haproxy_wrapper {
+    unless $haproxy_image and $haproxy_process_wrapper{
+      fail('The docker image for haproxy and wrapper filename must be provided when generating haproxy wrappers')
+    }
+    tripleo::profile::base::neutron::wrappers::haproxy{'dhcp_haproxy_process_wrapper':
+      haproxy_process_wrapper => $haproxy_process_wrapper,
+      haproxy_image           => $haproxy_image,
+      ns_prefix               => 'qdhcp',
+      bind_socket             => $bind_socket
+    }
+  }
+}

manifests/profile/base/neutron/l3_agent_wrappers.pp

@@ -0,0 +1,160 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::l3_agent_wrappers
+#
+# Generates wrapper scripts for running l3 agent subprocesess in containers.
+#
+# === Parameters
+#
+# [*enable_haproxy_wrapper*]
+#  (Optional) If true, generates a wrapper for running haproxy in
+#  a docker container.
+#  Defaults to false
+#
+# [*haproxy_process_wrapper*]
+#   (Optional) If set, generates a haproxy wrapper in the specified file.
+#   Defaults to undef
+#
+# [*haproxy_image*]
+#   (Optional) Docker image name for haproxy. Required if
+#   haproxy_process_wrapper is set.
+#   Defaults to undef
+#
+# [*enable_radvd_wrapper*]
+#  (Optional) If true, generates a wrapper for running radvd in
+#  a docker container.
+#  Defaults to false
+#
+# [*radvd_process_wrapper*]
+#   (Optional) If set, generates a radvd wrapper in the specified file.
+#   Defaults to undef
+#
+# [*radvd_image*]
+#   (Optional) Docker image name for haproxy. Required if radvd_process_wrapper
+#   is set.
+#   Defaults to undef
+#
+# [*enable_keepalived_wrapper*]
+#  (Optional) If true, generates a wrapper for running keepalived in
+#  a docker container.
+#  Defaults to false
+#
+# [*keepalived_process_wrapper*]
+#   (Optional) If set, generates a keepalived in the specified file.
+#   Defaults to undef
+#
+# [*keepalived_image*]
+#   (Optional) Docker image name for keepalived. Required if
+#   keepalived_process_wrapper is set.
+#   Defaults to undef
+#
+# [*keepalived_state_change_wrapper*]
+#   (Optional) If set, generates a wrapper for running neutron's keepalived
+#   state change daemon in the keepalived container. The keepalived wrapper and
+#   image must also be set if this is set.
+#   Defaults to undef
+#
+# [*enable_dibbler_wrapper*]
+#  (Optional) If true, generates a wrapper for running dibbler in
+#  a docker container.
+#  Defaults to false
+#
+# [*dibbler_process_wrapper*]
+#   (Optional) If set, generates a dibbler in the specified file.
+#   Defaults to undef
+#
+# [*dibbler_image*]
+#   (Optional) Docker image name for dibbler. Required if dibbler_process_wrapper is set.
+#   Defaults to undef
+#
+# [*bind_sockets*]
+#   (Optional) Domain sockets that the wrappers should use for accessing
+#   the docker daemon.
+#   Defaults to hiera('tripleo::profile::base::docker::additional_sockets', ['/run/docker.sock'])
+#
+class tripleo::profile::base::neutron::l3_agent_wrappers (
+  $enable_haproxy_wrapper             = false,
+  $haproxy_process_wrapper            = undef,
+  $haproxy_image                      = undef,
+  $enable_radvd_wrapper               = false,
+  $radvd_process_wrapper              = undef,
+  $radvd_image                        = undef,
+  $enable_keepalived_wrapper          = false,
+  $keepalived_process_wrapper         = undef,
+  $keepalived_image                   = undef,
+  $keepalived_state_change_wrapper    = undef,
+  $enable_dibbler_wrapper             = false,
+  $dibbler_process_wrapper            = undef,
+  $dibbler_image                      = undef,
+  $bind_sockets                       = hiera('tripleo::profile::base::docker::additional_sockets', ['/run/docker.sock']),
+) {
+  unless $bind_sockets {
+    fail('The wrappers require a domain socket for accessing the docker daemon')
+  }
+  $bind_socket = join(['unix://', $bind_sockets[0]], '')
+  if $enable_haproxy_wrapper {
+    unless $haproxy_image and $haproxy_process_wrapper{
+      fail('The docker image for haproxy and wrapper filename must be provided when generating haproxy wrappers')
+    }
+    tripleo::profile::base::neutron::wrappers::haproxy{'l3_haproxy_process_wrapper':
+      haproxy_process_wrapper => $haproxy_process_wrapper,
+      haproxy_image           => $haproxy_image,
+      ns_prefix               => 'qrouter',
+      bind_socket             => $bind_socket,
+    }
+  }
+
+  if $enable_radvd_wrapper {
+    unless $radvd_image and $radvd_process_wrapper{
+      fail('The docker image for radvd and wrapper filename must be provided when generating radvd wrappers')
+    }
+    tripleo::profile::base::neutron::wrappers::radvd{'l3_radvd_process_wrapper':
+      radvd_process_wrapper => $radvd_process_wrapper,
+      radvd_image           => $radvd_image,
+      bind_socket           => $bind_socket,
+    }
+  }
+
+  if $enable_keepalived_wrapper {
+    unless $keepalived_image and $keepalived_process_wrapper{
+      fail('The docker image for keepalived and wrapper filename must be provided when generating keepalived wrappers')
+    }
+    tripleo::profile::base::neutron::wrappers::keepalived{'l3_keepalived':
+      keepalived_process_wrapper => $keepalived_process_wrapper,
+      keepalived_image           => $keepalived_image,
+      ns_prefix                  => 'qrouter',
+      bind_socket                => $bind_socket,
+    }
+    unless $keepalived_state_change_wrapper {
+      fail('The keepalived state change wrapper must also be configured when generating keepalived wrappers')
+    }
+    tripleo::profile::base::neutron::wrappers::keepalived_state_change{'l3_keepalived_state_change':
+      keepalived_state_change_wrapper => $keepalived_state_change_wrapper,
+      ns_prefix                       => 'qrouter',
+      bind_socket                     => $bind_socket,
+    }
+  }
+
+  if $enable_dibbler_wrapper {
+    unless $dibbler_image and $dibbler_process_wrapper{
+      fail('The docker image for dibbler and wrapper filename must be provided when generating dibbler wrappers')
+    }
+    tripleo::profile::base::neutron::wrappers::dibbler_client{'l3_dibbler_daemon':
+      dibbler_process_wrapper => $dibbler_process_wrapper,
+      dibbler_image           => $dibbler_image,
+      bind_socket             => $bind_socket,
+    }
+  }
+}

manifests/profile/base/neutron/wrappers/dibbler_client.pp

@@ -0,0 +1,43 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == define: tripleo::profile::base::neutron::wrappers::dibbler_client
+#
+# Generates wrapper script for running dibbler in a container.
+#
+# === Parameters
+#
+# [*dibbler_process_wrapper*]
+#   Filename for dibbler wrapper script.
+#
+# [*dibbler_image*]
+#   Docker image name for dibbler.
+#
+# [*bind_socket*]
+#   Socket for accessing the docker daemon.
+#
+define tripleo::profile::base::neutron::wrappers::dibbler_client (
+  $dibbler_process_wrapper,
+  $dibbler_image,
+  $bind_socket,
+) {
+    file { $dibbler_process_wrapper:
+      ensure  => file,
+      mode    => '0755',
+      content => epp('tripleo/neutron/dibbler-client.epp', {
+        'image_name'  => $dibbler_image,
+        'bind_socket' => $bind_socket
+        })
+    }
+}

manifests/profile/base/neutron/wrappers/dnsmasq.pp

@@ -0,0 +1,43 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == define: tripleo::profile::base::neutron::wrappers::dnsmasq
+#
+# Generates wrapper script for running dnsmasq in a container.
+#
+# === Parameters
+#
+# [*dnsmasq_process_wrapper*]
+#   Filename for dnsmasq wrapper script.
+#
+# [*dnsmasq_image*]
+#   Docker image name for dnsmasq.
+#
+# [*bind_socket*]
+#   Socket for accessing the docker daemon.
+#
+define tripleo::profile::base::neutron::wrappers::dnsmasq (
+  $dnsmasq_process_wrapper,
+  $dnsmasq_image,
+  $bind_socket,
+) {
+    file { $dnsmasq_process_wrapper:
+      ensure  => file,
+      mode    => '0755',
+      content => epp('tripleo/neutron/dnsmasq.epp', {
+        'image_name'  => $dnsmasq_image,
+        'bind_socket' => $bind_socket
+        })
+    }
+}

manifests/profile/base/neutron/wrappers/haproxy.pp

@@ -0,0 +1,48 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == define: tripleo::profile::base::neutron::wrappers::haproxy
+#
+# Generates wrapper script for running haproxy in a container.
+#
+# === Parameters
+#
+# [*haproxy_process_wrapper*]
+#   Filename for haproxy wrapper script.
+#
+# [*haproxy_image*]
+#   Docker image name for haproxy.
+#
+# [*ns_prefix*]
+#   Prefix for namespace (e.g. qrouter-, qdhcp-)
+#
+# [*bind_socket*]
+#   Socket for accessing the docker daemon.
+#
+define tripleo::profile::base::neutron::wrappers::haproxy (
+  $haproxy_process_wrapper,
+  $haproxy_image,
+  $ns_prefix,
+  $bind_socket,
+) {
+    file { $haproxy_process_wrapper:
+      ensure  => file,
+      mode    => '0755',
+      content => epp('tripleo/neutron/haproxy.epp', {
+        'image_name'  => $haproxy_image,
+        'ns_prefix'   => $ns_prefix,
+        'bind_socket' => $bind_socket,
+        })
+    }
+}

manifests/profile/base/neutron/wrappers/keepalived.pp

@@ -0,0 +1,48 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == define: tripleo::profile::base::neutron::wrappers::keepalived
+#
+# Generates wrapper script for running keepalived in a container.
+#
+# === Parameters
+#
+# [*keepalived_process_wrapper*]
+#   Filename for keepalived wrapper script.
+#
+# [*keepalived_image*]
+#   Docker image name for keepalived.
+#
+# [*ns_prefix*]
+#   Prefix for namespace (e.g. qrouter-, qdhcp-)
+#
+# [*bind_socket*]
+#   Socket for accessing the docker daemon.
+#
+define tripleo::profile::base::neutron::wrappers::keepalived (
+  $keepalived_process_wrapper,
+  $keepalived_image,
+  $ns_prefix,
+  $bind_socket,
+) {
+    file { $keepalived_process_wrapper:
+      ensure  => file,
+      mode    => '0755',
+      content => epp('tripleo/neutron/keepalived.epp', {
+          'image_name'  => $keepalived_image,
+          'ns_prefix'   => $ns_prefix,
+          'bind_socket' => $bind_socket,
+        })
+    }
+}

manifests/profile/base/neutron/wrappers/keepalived_state_change.pp

@@ -0,0 +1,43 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::wrappers::keepalived_state_change
+#
+# Generates wrapper script for running keepalived-state-change daemon in a container.
+#
+# === Parameters
+#
+# [*keepalived_state_change_wrapper*]
+#   Filename for neutron-keepalived-state-change wrapper script.
+#
+# [*ns_prefix*]
+#   Prefix for namespace (e.g. qrouter-, qdhcp-)
+#
+# [*bind_socket*]
+#   Socket for accessing the docker daemon.
+#
+define tripleo::profile::base::neutron::wrappers::keepalived_state_change (
+  $keepalived_state_change_wrapper,
+  $ns_prefix,
+  $bind_socket,
+) {
+    file { $keepalived_state_change_wrapper:
+      ensure  => file,
+      mode    => '0755',
+      content => epp('tripleo/neutron/neutron-keepalived-state-change.epp', {
+        'ns_prefix'   => $ns_prefix,
+        'bind_socket' => $bind_socket
+        })
+    }
+}

manifests/profile/base/neutron/wrappers/radvd.pp

@@ -0,0 +1,43 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == define: tripleo::profile::base::neutron::wrappers::radvd
+#
+# Generates wrapper script for running radvd in a container.
+#
+# === Parameters
+#
+# [*radvd_process_wrapper*]
+#   Filename for radvd wrapper script.
+#
+# [*radvd_image*]
+#   Docker image name for radvd.
+#
+# [*bind_socket*]
+#   Socket for accessing the docker daemon.
+#
+define tripleo::profile::base::neutron::wrappers::radvd (
+  $radvd_process_wrapper,
+  $radvd_image,
+  $bind_socket,
+) {
+    file { $radvd_process_wrapper:
+      ensure  => file,
+      mode    => '0755',
+      content => epp('tripleo/neutron/radvd.epp', {
+          'image_name'  => $radvd_image,
+          'bind_socket' => $bind_socket,
+        })
+    }
+}

releasenotes/notes/add-neutron-agent-wrappers-bf84104f3607264b.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Added parameters to generate wrapper scripts for the neutron dhcp and l3 agents
+    to run dnsmasq and keepalived, respectively, in separate containers.
+  - Added `tripleo::profile::base::docker::additional_sockets` to allow configuring
+    additional domain sockets bindings on dockerd. This facilitates creating
+    containers that need to access dockerd without having to mount /run.

spec/classes/tripleo_profile_base_docker_spec.rb

@@ -177,6 +177,18 @@ describe 'tripleo::profile::base::docker' do
       }
     end
 
+    context 'with additional domains sockets' do
+      let(:params) { {
+          :step              => 1,
+          :additional_sockets => ['/var/lib/openstack/docker.sock', '/var/run/some-other/docker.sock']
+      } }
+      it {
+        is_expected.to contain_augeas('docker-sysconfig-options').with_changes([
+            "set OPTIONS '\"--log-driver=journald --signature-verification=false --iptables=false --live-restore -H unix:///run/docker.sock -H unix:///var/lib/openstack/docker.sock -H unix:///var/run/some-other/docker.sock\"'",
+        ])
+      }
+
+    end
   end
 
   on_supported_os.each do |os, facts|

spec/classes/tripleo_profile_base_neutron_dhcp_spec.rb

@@ -0,0 +1,46 @@
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::neutron::dhcp' do
+
+  shared_examples_for 'tripleo::profile::base::neutron::dhcp' do
+
+    before :each do
+      facts.merge!({ :step => params[:step] })
+    end
+
+    context 'with defaults for all parameters' do
+      let(:params) { { :step => 4 } }
+
+      it 'should do nothing' do
+        is_expected.to contain_class('tripleo::profile::base::neutron::dhcp')
+        is_expected.to contain_class('neutron::agents::dhcp')
+      end
+    end
+  end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) do
+        facts.merge({ :hostname => 'node.example.com' })
+      end
+
+      it_behaves_like 'tripleo::profile::base::neutron::dhcp'
+    end
+  end
+end

spec/classes/tripleo_profile_base_neutron_l3_spec.rb

@@ -0,0 +1,46 @@
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::neutron::l3' do
+
+  shared_examples_for 'tripleo::profile::base::neutron::l3' do
+
+    before :each do
+      facts.merge!({ :step => params[:step] })
+    end
+
+    context 'with defaults for all parameters' do
+      let(:params) { { :step => 4 } }
+
+      it 'should do nothing' do
+        is_expected.to contain_class('tripleo::profile::base::neutron::l3')
+        is_expected.to contain_class('neutron::agents::l3')
+      end
+    end
+  end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) do
+        facts.merge({ :hostname => 'node.example.com' })
+      end
+
+      it_behaves_like 'tripleo::profile::base::neutron::l3'
+    end
+  end
+end

spec/defines/tripleo_profile_base_neutron_wrappers_dibbler_client_spec.rb

@@ -0,0 +1,58 @@
+#
+# Copyright (C) 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::neutron::wrappers::dibbler_client' do
+
+  let :title do
+    'dibbler_client'
+  end
+
+  shared_examples_for 'tripleo::profile::base::neutron::wrappers::dibbler_client' do
+
+    context 'creates wrapper file' do
+      let :params do {
+          :dibbler_process_wrapper  => '/usr/local/bin/dibbler-client',
+          :dibbler_image            => 'a_registry/some_container_name:some_tag',
+          :bind_socket              => 'unix:///run/another/docker.sock'
+      }
+      end
+
+      it 'should generate a wrapper file' do
+        is_expected.to contain_file('/usr/local/bin/dibbler-client').with(
+          :mode   => '0755'
+        )
+        is_expected.to contain_file('/usr/local/bin/dibbler-client').with_content(
+          /a_registry.some_container_name.some_tag/
+        )
+        is_expected.to contain_file('/usr/local/bin/dibbler-client').with_content(
+          /export DOCKER_HOST="unix:...run.another.docker.sock/
+        )
+      end
+    end
+  end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) do
+        facts.merge({ :hostname => 'node.example.com' })
+      end
+
+      it_behaves_like 'tripleo::profile::base::neutron::wrappers::dibbler_client'
+    end
+  end
+end

spec/defines/tripleo_profile_base_neutron_wrappers_dnsmasq_spec.rb

@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::neutron::wrappers::dnsmasq' do
+
+  let :title do
+    'dnsmasq_wrapper'
+  end
+
+  shared_examples_for 'tripleo::profile::base::neutron::wrappers::dnsmasq' do
+
+    context 'creates wrapper file' do
+      let(:params) {
+        {
+          :dnsmasq_process_wrapper  => '/usr/local/bin/dnsmasq',
+          :dnsmasq_image            => 'a_registry/some_container_name:some_tag',
+          :bind_socket              => 'unix:///run/another/docker.sock'
+        }
+      }
+
+      it 'should generate a wrapper file' do
+        is_expected.to contain_file('/usr/local/bin/dnsmasq').with(
+          :mode   => '0755'
+        )
+        is_expected.to contain_file('/usr/local/bin/dnsmasq').with_content(
+          /a_registry.some_container_name.some_tag/
+        )
+        is_expected.to contain_file('/usr/local/bin/dnsmasq').with_content(
+          /export DOCKER_HOST="unix:...run.another.docker.sock/
+        )
+      end
+    end
+  end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) do
+        facts.merge({ :hostname => 'node.example.com' })
+      end
+
+      it_behaves_like 'tripleo::profile::base::neutron::wrappers::dnsmasq'
+    end
+  end
+end

spec/defines/tripleo_profile_base_neutron_wrappers_haproxy_spec.rb

@@ -0,0 +1,63 @@
+#
+# Copyright (C) 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::neutron::wrappers::haproxy' do
+
+  let :title do
+    'haproxy_wrapper'
+  end
+
+  shared_examples_for 'tripleo::profile::base::neutron::wrappers::haproxy' do
+
+    context 'creates wrapper file' do
+      let(:params) {
+        {
+          :haproxy_process_wrapper  => '/usr/local/bin/haproxy',
+          :haproxy_image            => 'a_registry/some_container_name:some_tag',
+          :ns_prefix                => 'puppet-test',
+          :bind_socket              => 'unix:///run/another/docker.sock'
+        }
+      }
+
+      it 'should generate a wrapper file' do
+        is_expected.to contain_file('/usr/local/bin/haproxy').with(
+          :mode   => '0755'
+        )
+        is_expected.to contain_file('/usr/local/bin/haproxy').with_content(
+          /a_registry.some_container_name.some_tag/
+        )
+        is_expected.to contain_file('/usr/local/bin/haproxy').with_content(
+          /^NAME=neutron-haproxy-puppet-test-/
+        )
+        is_expected.to contain_file('/usr/local/bin/haproxy').with_content(
+          /export DOCKER_HOST="unix:...run.another.docker.sock/
+        )
+      end
+    end
+  end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) do
+        facts.merge({ :hostname => 'node.example.com' })
+      end
+
+      it_behaves_like 'tripleo::profile::base::neutron::wrappers::haproxy'
+    end
+  end
+end

spec/defines/tripleo_profile_base_neutron_wrappers_keepalived_spec.rb

@@ -0,0 +1,60 @@
+#
+# Copyright (C) 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::neutron::wrappers::keepalived' do
+
+  let :title do
+    'keepalived_wrapper'
+  end
+
+  shared_examples_for 'tripleo::profile::base::neutron::wrappers::keepalived' do
+
+    context 'creates wrapper file' do
+      let(:params) {
+        {
+          :keepalived_process_wrapper  => '/usr/local/bin/keepalived',
+          :keepalived_image            => 'a_registry/some_container_name:some_tag',
+          :ns_prefix                   => 'puppet-test',
+          :bind_socket                 => 'unix:///run/another/docker.sock'
+        }
+      }
+
+      it 'should generate a wrapper file' do
+        is_expected.to contain_file('/usr/local/bin/keepalived').with(
+          :mode   => '0755'
+        )
+        is_expected.to contain_file('/usr/local/bin/keepalived').with_content(
+          /a_registry.some_container_name.some_tag/
+        )
+        is_expected.to contain_file('/usr/local/bin/keepalived').with_content(
+          /export DOCKER_HOST="unix:...run.another.docker.sock/
+        )
+      end
+    end
+  end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) do
+        facts.merge({ :hostname => 'node.example.com' })
+      end
+
+      it_behaves_like 'tripleo::profile::base::neutron::wrappers::keepalived'
+    end
+  end
+end

spec/defines/tripleo_profile_base_neutron_wrappers_keepalived_state_change_spec.rb

@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::neutron::wrappers::keepalived_state_change' do
+
+  let :title do
+    'keepalived_state_change'
+  end
+
+  shared_examples_for 'tripleo::profile::base::neutron::wrappers::keepalived_state_change' do
+
+    context 'creates wrapper file' do
+      let(:params) {
+        {
+          :keepalived_state_change_wrapper  => '/usr/local/bin/keepalived-state-change',
+          :ns_prefix                        => 'puppet-test',
+          :bind_socket                      => 'unix:///run/another/docker.sock'
+        }
+      }
+
+      it 'should generate a wrapper file' do
+        is_expected.to contain_file('/usr/local/bin/keepalived-state-change').with(
+          :mode   => '0755'
+        )
+        is_expected.to contain_file('/usr/local/bin/keepalived-state-change').with_content(
+          /ip.netns.exec.*puppet-test.*neutron-keepalived-state-change/
+        )
+        is_expected.to contain_file('/usr/local/bin/keepalived-state-change').with_content(
+          /export DOCKER_HOST="unix:...run.another.docker.sock/
+        )
+      end
+    end
+  end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) do
+        facts.merge({ :hostname => 'node.example.com' })
+      end
+
+      it_behaves_like 'tripleo::profile::base::neutron::wrappers::keepalived_state_change'
+    end
+  end
+end

spec/defines/tripleo_profile_base_neutron_wrappers_radvd_spec.rb

@@ -0,0 +1,62 @@
+#
+# Copyright (C) 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::neutron::wrappers::radvd' do
+
+  let :title do
+    'radvd_wrapper'
+  end
+
+  shared_examples_for 'tripleo::profile::base::neutron::wrappers::radvd' do
+
+    context 'creates wrapper file' do
+      let(:params) {
+        {
+          :radvd_process_wrapper  => '/usr/local/bin/radvd',
+          :radvd_image            => 'a_registry/some_container_name:some_tag',
+          :bind_socket            => 'unix:///run/another/docker.sock'
+        }
+      }
+
+      it 'should generate a wrapper file' do
+        is_expected.to contain_file('/usr/local/bin/radvd').with(
+          :mode   => '0755'
+        )
+        is_expected.to contain_file('/usr/local/bin/radvd').with_content(
+          /a_registry.some_container_name.some_tag/
+        )
+        is_expected.to contain_file('/usr/local/bin/radvd').with_content(
+          /^NAME=neutron-radvd-/
+        )
+        is_expected.to contain_file('/usr/local/bin/radvd').with_content(
+          /export DOCKER_HOST="unix:...run.another.docker.sock/
+        )
+      end
+    end
+  end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) do
+        facts.merge({ :hostname => 'node.example.com' })
+      end
+
+      it_behaves_like 'tripleo::profile::base::neutron::wrappers::radvd'
+    end
+  end
+end

templates/neutron/dibbler-client.epp

@@ -0,0 +1,32 @@
+<%- | String $image_name = '', String $bind_socket = '' | -%>
+#!/bin/bash
+
+export DOCKER_HOST="<%=$bind_socket%>"
+# we want to "eat" the "start" command given by neutron and run
+# this in the foreground.
+shift
+ARGS="$@"
+
+# Extract the network namespace UUID from the command line args provided by
+# neutron. Typically of the form (with dnsmasq as an example):
+#
+# dnsmasq --no-hosts --no-resolv --except-interface=lo \
+#   --pid-file=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/pid  \
+#   --dhcp-hostsfile=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/host ...
+NETWORK_ID=$(echo $ARGS| awk '{if (match($0, /(\w{8}-\w{4}-\w{4}-\w{4}-\w{12})/,m)) print m[0] }')
+NAME=neutron-dibbler-${NETWORK_ID}
+docker stop $NAME || true
+docker rm -f $NAME || true
+
+docker run --detach \
+     -v /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron:ro \
+     -v /run/netns:/run/netns:shared \
+     -v /var/lib/neutron:/var/lib/neutron \
+     --net host \
+     --pid host \
+     --privileged \
+     --rm=true \
+     -u root \
+     --name $NAME \
+     <%=$image_name%> \
+     ip netns exec qrouter-${NETWORK_ID} /usr/sbin/dibbler-client run $ARGS

templates/neutron/dnsmasq.epp

@@ -0,0 +1,30 @@
+<%- | String $image_name = '', String $bind_socket = '' | -%>
+#!/bin/bash
+
+export DOCKER_HOST="<%=$bind_socket%>"
+ARGS="$@"
+
+# Extract the network namespace UUID from the command line args provided by
+# neutron. Typically of the form (with dnsmasq as an example):
+#
+# dnsmasq --no-hosts --no-resolv --except-interface=lo \
+#   --pid-file=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/pid  \
+#   --dhcp-hostsfile=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/host ...
+NETWORK_ID=$(echo $ARGS| awk '{if (match($0, /(\w{8}-\w{4}-\w{4}-\w{4}-\w{12})/,m)) print m[0] }')
+
+NAME=neutron-dnsmasq-${NETWORK_ID}
+docker stop $NAME || true
+docker rm -f $NAME || true
+
+docker run --detach \
+     -v /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron:ro \
+     -v /run/netns:/run/netns:shared \
+     -v /var/lib/neutron:/var/lib/neutron \
+     --net host \
+     --pid host \
+     --privileged \
+     --rm=true \
+     -u root \
+     --name $NAME \
+    <%=$image_name%> \
+    ip netns exec qdhcp-${NETWORK_ID} /usr/sbin/dnsmasq -k $ARGS

templates/neutron/haproxy.epp

@@ -0,0 +1,29 @@
+<%- | String $image_name = '', String $ns_prefix = '', String $bind_socket = '' | -%>
+#!/bin/bash
+
+export DOCKER_HOST="<%=$bind_socket%>"
+ARGS="$@"
+
+# Extract the network namespace UUID from the command line args provided by
+# neutron. Typically of the form (with dnsmasq as an example):
+#
+# dnsmasq --no-hosts --no-resolv --except-interface=lo \
+#   --pid-file=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/pid  \
+#   --dhcp-hostsfile=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/host ...
+NETWORK_ID=$(echo $ARGS| awk '{if (match($0, /(\w{8}-\w{4}-\w{4}-\w{4}-\w{12})/,m)) print m[0] }')
+NAME=neutron-haproxy-<%=$ns_prefix%>-${NETWORK_ID}
+docker stop $NAME || true
+docker rm -f $NAME || true
+
+docker run --detach \
+     -v /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron:ro \
+     -v /run/netns:/run/netns:shared \
+     -v /var/lib/neutron:/var/lib/neutron \
+     --net host \
+     --pid host \
+     --privileged \
+     --rm=true \
+     -u root \
+     --name $NAME \
+     <%=$image_name%> \
+     ip netns exec <%=$ns_prefix%>-${NETWORK_ID} /usr/sbin/haproxy -Ds $ARGS

templates/neutron/keepalived.epp

@@ -0,0 +1,32 @@
+<%- | String $image_name = '', String $ns_prefix = '', String $bind_socket = '' | -%>
+#!/bin/bash
+
+export DOCKER_HOST="<%=$bind_socket%>"
+ARGS="$@"
+
+# Extract the network namespace UUID from the command line args provided by
+# neutron. Typically of the form (with dnsmasq as an example):
+#
+# dnsmasq --no-hosts --no-resolv --except-interface=lo \
+#   --pid-file=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/pid  \
+#   --dhcp-hostsfile=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/host ...
+ROUTER_ID=$(echo $ARGS| awk '{if (match($0, /(\w{8}-\w{4}-\w{4}-\w{4}-\w{12})/,m)) print m[0] }')
+NAME=neutron-keepalived-<%=$ns_prefix%>-${ROUTER_ID}
+
+docker stop $NAME || true
+docker rm -f $NAME || true
+
+docker run --detach \
+    -v /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron:ro \
+    -v /lib/modules:/lib/modules:ro \
+    -v /sbin/modprobe:/sbin/modprobe:ro \
+    -v /run/netns:/run/netns:shared \
+    -v /var/lib/neutron:/var/lib/neutron \
+    --net host \
+    --pid host \
+    --privileged \
+    --rm=true \
+    -u root \
+    --name $NAME \
+    <%=$image_name%> \
+    ip netns exec <%=$ns_prefix%>-${ROUTER_ID} /usr/sbin/keepalived -n -l -D $ARGS

templates/neutron/neutron-keepalived-state-change.epp

@@ -0,0 +1,32 @@
+<%- | String $ns_prefix = '', String $bind_socket  = '' | -%>
+#!/bin/bash
+
+export DOCKER_HOST="<%=$bind_socket%>"
+ARGS="$@"
+
+# Extract the network namespace UUID from the command line args provided by
+# neutron. Typically of the form (with dnsmasq as an example):
+#
+# dnsmasq --no-hosts --no-resolv --except-interface=lo \
+#   --pid-file=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/pid  \
+#   --dhcp-hostsfile=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/host ...
+NS_ID=$(echo $ARGS| awk '{if (match($0, /(\w{8}-\w{4}-\w{4}-\w{4}-\w{12})/,m)) print m[0] }')
+NAME=neutron-keepalived-<%=$ns_prefix%>-${NS_ID}
+
+# The state change daemon only runs as a daemon for the moment so we need to
+# run it within an existing container with a sensibly matching lifetime.  The
+# related keepalived container seems an obvious choice.
+
+container_id=`docker ps --filter name=$NAME --format "{{.ID}}"`
+
+if [[ -z $container_id ]];
+then
+    echo "WARNING: keepalived container is not running."
+    exit 0
+fi
+
+docker exec --detach \
+    -u root \
+    --privileged \
+    $NAME \
+    ip netns exec <%=$ns_prefix%>-${NS_ID} /usr/bin/neutron-keepalived-state-change $ARGS

templates/neutron/radvd.epp

@@ -0,0 +1,30 @@
+<%- | String $image_name = '', String $bind_socket = '' | -%>
+#!/bin/bash
+
+export DOCKER_HOST="unix:///var/run/docker_container_mount/docker.sock"
+export DOCKER_HOST="<%=$bind_socket%>"
+ARGS="$@"
+
+# Extract the network namespace UUID from the command line args provided by
+# neutron. Typically of the form (with dnsmasq as an example):
+#
+# dnsmasq --no-hosts --no-resolv --except-interface=lo \
+#   --pid-file=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/pid  \
+#   --dhcp-hostsfile=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/host ...
+NETWORK_ID=$(echo $ARGS| awk '{if (match($0, /(\w{8}-\w{4}-\w{4}-\w{4}-\w{12})/,m)) print m[0] }')
+NAME=neutron-radvd-${NETWORK_ID}
+docker stop $NAME || true
+docker rm -f $NAME || true
+
+docker run --detach \
+     -v /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron:ro \
+     -v /run/netns:/run/netns:shared \
+     -v /var/lib/neutron:/var/lib/neutron \
+     --net host \
+     --pid host \
+     --privileged \
+     --rm=true \
+     -u root \
+     --name $NAME \
+     <%=$image_name%> \
+     ip netns exec qrouter-${NETWORK_ID} /usr/sbin/radvd -n $ARGS